A new phishing scam is taking aim at members of the U.S. military and their families, using unsolicited emails purportedly from USAA, one of the nation's largest financial services and insurance companies, to trick people into divulging their personal information to identity thieves.
And this isn't the first time it's happened.
USAA, which caters primarily to retired and active duty military members and their families, and the Navy Federal Credit Union in May were hit by a similar phishing scam that also attempted to extract social security numbers, credit card numbers, birth dates and other information used to either pilfer bank accounts or steal unsuspecting users' identities.
This time around, according to an advisory on security software maker AppRiver's website, the con artists are sending a slew of unsolicited emails with subject titles, such as "USAA Notification" or "Urgent Message for USAA customer" in the hope of getting just a small fraction of a percentage of recipients to click on a link embedded in the missive.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
Those unfortunate or naïve enough to click on the offending link are then escorted to a fake login page that resembles USAA's legitimate website where they are prompted for their names, addresses, social security numbers and other vital personal data.
"This is actually quite unique in an attack like this as most of the time, you would be redirected to the actual USAA website," Troy Gill, a security researcher at AppRiver, wrote in a blog post. "Each unique domain is serving up a complete fake USAA website."
Gill added that his security team is actively monitoring and blocking more than 1,500 unique .tk domains that are being used in the scam.
"Although we do see phishing attempts directed at USAA members among hundreds of other financial firms on a regular basis, this is one of the more intricate and widespread phishing campaigns that we have seen in quite some time," he said.
USAA officials were not immediately available to comment on the phishing campaign.
According to the Anti-Phishing Working Group, a consortium of Web retailing, software, security and financial firms, more than 126,000 fake websites designed solely to steal users' personal information were discovered in the first half of this year alone.
AppRiver and other security software firms repeatedly advise consumers to ignore any suspicious, unsolicited emails they receive and to never click on any attachments or links contained in the emails.
To keep up with the latest phishing news, follow eSecurityPlanet on Twitter @eSecurityP.